The problem identified of connecting an individual to the key is valid. But if a multi-factor identity token is used to sign a message, then that moves the repudiation back to existing law (lost/stolen token claim, etc.) vice a technological exploit.